Siemens fixing bugs in control systems

Boston, December 23, 2011

Siemens said it is working to fix security flaws in industrial control products that the US warned could make public utilities, hospitals and other critical parts of the country's infrastructure vulnerable to attack by hackers.

The German conglomerate, whose industrial control systems are widely used around the world, said on Thursday in a posting on its website that it had learned of the vulnerabilities in May and December of this year from security researchers Terry McCorkle and Billy Rios.

The US Department of Homeland Security issued an advisory that warned of the vulnerability, urging Siemens customers to minimise exposure of industrial control systems to the Internet to make them less vulnerable to attack.

"Successful exploitation of these vulnerabilities could allow a hacker to log into a vulnerable system as a user or administrator," the agency's Industrial Control Systems Cyber Emergency Response Team said in the advisory.

Rios told Reuters that one of the most serious of the vulnerabilities, known as an "authentication bypass," allows hackers to get around password protections on Web interfaces, which Siemens customers use to access industrial control systems.

Siemens industrial control systems are used to run an assortment of facilities from power generators, chemical plants and water systems to breweries, pharmaceutical factories and even uranium enrichment facilities.

"People with low skills will be able to use this authentication bypass," said Rios, who described the problems on his blog, www.xs-sniper.com.

Siemens said it had addressed some of the security vulnerabilities and that it would release its first security update to fix them next month.

The company does not know of any cases in which hackers have exploited the vulnerabilities to attack its customers, spokesman Alexander Machowetz said.

Some Siemens software is designed to automatically install services that make control systems accessible via the Internet, Rios said. They are installed with a default password, "100," which is published in user manuals that are available on the public Siemens website, he added.

"People set up control systems, and they don't realize that they are on the Internet, waiting for people to connect to them," Rios said.

Siemens industrial control systems have been scrutinized by security researchers over the past few years.

The notorious Stuxnet virus, which crippled Iran's nuclear program, was first identified by researchers in June 2010. It targeted Siemens software used to control gas centrifuges that enriched uranium at a facility in Natanz, Iran.

Last May, the US government warned US water districts, power companies and other Siemens customers of another security flaw uncovered by researcher Dillon Beresford that made systems vulnerable to attack.

In August, Beresford disclosed at the Black Hat hacking conference in Las Vegas that he had found further vulnerabilities in Siemens products, including a "back door that could allow hackers to wreak havoc on critical infrastructure." - Reuters